VU23217 Assessment 2 Solved

At a glance
The key takeaways are that organisations need to implement cybersecurity frameworks and standards like NIST to identify and reduce risks, protect data and privacy, and safeguard against threats like malware.

WIDGET accounting's main ICT components include laptops running Windows 10 Pro without security software, an Office 365 subscription, an insecure wireless router, a network switch, and remote access without passwords for staff.

Some cybersecurity risks WIDGET accounting faces are unpatched systems, unsecured wireless access, lack of passwords or shared passwords, lack of encryption for sensitive data, and no security awareness among staff.

Assessment Practical Observation

Student Name: CIT Number:

Competency Title, Code and Banner Code VU23217 Recognise the need for cyber security in an Organisation

CRN

Assessment Type ☒ Written ☐ Case Study ☒ Practical ☐ Assignment ☐ Other

Assessment Name Assessment 2: Cyber awareness for an Organisation

Assessment Date

Student Statement: This assessment is my own work. Any ideas and comments made by other people have been
acknowledged. I understand that by emailing or submitting this assessment electronically, I agree to this statement.

Student Signature: Date: / /

PRIVACY DISCLAIMER: CIT is collecting your personal information for assessment purposes. The information will only
be used in accordance with the CIT Privacy Policy.

Assessor Feedback (also complete observation checklist and questions on the last page)

☐ Student provided with feedback

Attempt 1 ☐ Satisfactory ☐ Not Yet Satisfactory Date: / /

Attempt 2 ☐ Satisfactory ☐ Not Yet Satisfactory Date: / /

Assessor Name: Assessor Signature:

Note from Assessor: Please record any reasonable adjustment that has occurred for this assessment.

© Canberra Institute of Technology Page 1 of 7 Date created: 24/08/2012


CRICOS No. 00001K | RTO Code 0101 Date updated: 30/08/2023
Assessment Task Instructions for Students

In this assessment, you are required to complete three tasks, which include multiple-choice and short-answer questions

Covering the following topics:

• Cyber security framework and standard
• Types of organisational threats
• Current types of security vulnerabilities and malware
• Techniques used by attackers
• Relationships between networks, machines, users and applications in an enterprise
• Concepts and methods of cyber threats and attacks
• Reasons and methods to protect data and privacy
• Methods and tools to safeguard personal privacy are defined
• Techniques to protect personal devices and data are described and implemented
• Methods for protecting an organisation from cyber-attacks are developed and evaluated
• Problem solving threats and vulnerabilities

Time allowed: see subject guide

Assessment range and conditions:

• This is an individual assessment.
• Confirm anything about the project you are not sure of with your manager (teacher/assessor). It is essential that you
have a clear understanding of the scenario and tasks that you need to complete.
• Use the templates provided to complete the assessment task.
• All tasks must be completed satisfactorily. If you do not complete an action in full, your assessor may ask you to
provide more information.

Materials provided:

• Access to PCs and peripherals
• Access to the Internet and eLearn (LMS)
• Access to software programs and tools, text editor and Word processing software, such as Microsoft Word and
Microsoft PowerPoint.

Materials you may need:

• Assessment documentation,
• BYOD
• Access to eLearn and learning resources
• Internet
• MS Word

Information for students: You may have two (2) attempts for this assessment.

• If your first attempt is not successful, your teacher will discuss your results with you and will arrange a second
attempt.

• If your second attempt is not successful, you will be required to re-enrol in this unit.

Only one re-assessment attempt will be granted for each assessment item.

TASK 1
1.1 What is the National Institute of Standards and Technology (NIST) cyber security framework and what are its
functions? How can it assist organisations to protect themselves from cyber threats? (max 150 words)

Answer: The National Institute of Standards and Technology (NIST) cybersecurity framework is a set of guidelines,
standards, and best practices to manage and reduce cybersecurity risks for organizations. It functions by providing a
structured approach to identify, protect, detect, respond, and recover from cybersecurity threats. It assists
organizations in protecting themselves by offering a common language to communicate about cybersecurity,
assessing and managing risks, and establishing a foundation for better cybersecurity practices.

1.2 Define/explain each of the following terminologies in your own words: (max 50 words each)

a) Incident Response policies and processes.


These are predefined procedures outlining actions to be taken in case of a security breach or cyber incident.

b) Threat Actors
Individuals, groups, or organizations responsible for executing cyber-attacks.

c) Threat Vectors
Paths or methods through which threats gain access to systems.

d) Threat Goals
Objectives pursued by threat actors in a cyber-attack.

e) Logical and Physical access control


Techniques restricting access to systems and physical locations.

f) Firewall
A security barrier that filters incoming and outgoing network traffic.

g) Gateway
A point where two different networks connect and data is transferred.

h) Botnets
Networks of compromised computers controlled by attackers for malicious purposes.

i) Cyber Kill chain
Phases of a cyber-attack from reconnaissance to exfiltration.

j) MITRE Adversarial Tactics, Techniques and Common Knowledge (ATT&CK)


A framework categorizing adversarial tactics and techniques.

k) IoT Devices – Please provide at least two IoT examples


Examples include smart thermostats and wearable fitness trackers.

l) Explain two security vulnerabilities in IoT devices

Security Vulnerabilities in IoT devices:

1. Lack of timely security updates.

2. Insufficient encryption leading to data exposure.

TASK 2
Scenario:

Consider your office where you may have a computer, telephone, smart board, TV monitor or Multi-Functional Devices
(e.g. printer, scanner, fax). You perform daily activities on your computer such as, reading, writing and sending emails. You
also prepare reports and notes using Microsoft office packages and several other software applications as required by the
workplace.

We can protect personal devices and data from threats easily by applying security measures. For example, enforcing a
strong password mechanism. Passwords are widely used to enforce authentication techniques to protect personal devices
and accounts.

Attackers will use many techniques to learn users’ passwords and gain unauthorised access to a resource or data. To
protect and safeguard your personal devices and information, it is important to understand what makes a strong password
and how to store it securely. You can also protect personal and sensitive data for privacy purposes by creating
password-protected files. In addition, it is also good practice to know about malware. Malware is sometimes designed to
take your personal data, so it is good to identify, block, and remove it.

2.1 Strong passwords have four main requirements listed in order of importance:

1. The user can easily remember the password.


2. It is not trivial for any other person to guess a password.
3. It is not trivial for a program to guess or discover a password.
4. Must be complex, containing numbers, symbols and a mix of upper case and lower case letters.
Answer: 2.1 Strong passwords should:
- Be memorable.
- Be difficult to guess.
- Resist automated guessing.
- Contain a mix of characters.

Based on the list above, the first requirement is probably the most important because you need to be able to remember
your password. For example, the password #4ssFrX^- aartPOknx25_70!xAdk<d! is considered a strong password because it
satisfies the last three requirements, but it is very difficult to remember.

Many organisations require passwords to contain a combination of numbers, symbols, and lower and upper case letters.
Passwords that conform to that policy are fine as long as they are easy for the user to remember.

Below is a sample password policy set for a typical organisation:

• The password must be at least 8 characters long


• The password must contain upper- and lower-case letters
• The password must contain a number

• The password must contain a non-alphanumeric character

A good way to create strong passwords is to choose four or more random words and string them together. The password
televisionfrogbootschurch is stronger than J0n@than#81. Notice that while the second password complies with the
policies described above, password cracker programs are very efficient at guessing that type of password. Many
password policy sets will not accept the first password, televisionfrogbootschurch, even though it is much stronger than
the second. It is easier for the user to remember (especially if associated with an image), it is very long, and its random
factor makes it hard for password crackers to guess.

Using an online password creation tool, create passwords based on the common company password policy set described
above.

Steps

1. Open a web browser and go to http://passwordsgenerator.net


2. Select the options to conform to the password policy set. (provide screen capture)
3. Generate the password.
4. Write down or provide screen capture of the password generated by the website and provide your response on
the strength of the password. (max 100 words)
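
As an added example (not part of the assessment or of the website named in the steps), the Python sketch below checks a password against the sample policy above, generates a conforming password and a four-word passphrase locally from the operating system's random source, and computes the entropy of randomly generated secrets. The symbol set, the short word list and the 7776-word list size are assumptions; the entropy figure applies only to randomly generated secrets, not to human-chosen ones such as J0n@than#81.

```python
import math
import secrets
import string

SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"  # assumed symbol set, not from the policy
ALPHABET = string.ascii_letters + string.digits + SYMBOLS
# Constructed sample word list; a real generator would draw from a large
# published list so that each word contributes more entropy.
WORDS = ["television", "frog", "boots", "church", "lantern", "pepper",
         "orbit", "walnut", "canyon", "magnet", "harbor", "violin"]

def policy_violations(password):
    """Return the names of the sample-policy rules the password breaks."""
    rules = [
        ("at least 8 characters", len(password) >= 8),
        ("upper-case letter", any(c.isupper() for c in password)),
        ("lower-case letter", any(c.islower() for c in password)),
        ("number", any(c.isdigit() for c in password)),
        ("non-alphanumeric character", any(not c.isalnum() for c in password)),
    ]
    return [name for name, ok in rules if not ok]

def generate_password(length=12):
    """Random password from the OS CSPRNG that satisfies every policy rule."""
    if length < 8:
        raise ValueError("the sample policy requires at least 8 characters")
    while True:  # resample until all character classes are present
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not policy_violations(candidate):
            return candidate

def generate_passphrase(n_words=4, words=WORDS):
    """Random words strung together, as the text recommends."""
    return "".join(secrets.choice(words) for _ in range(n_words))

def random_bits(choices, picks):
    """Entropy in bits of `picks` independent uniform draws from `choices`."""
    return picks * math.log2(choices)

if __name__ == "__main__":
    for pw in ("J0n@than#81", "televisionfrogbootschurch", generate_password()):
        print(pw, "->", policy_violations(pw) or "conforms to the policy")
    print("passphrase:", generate_passphrase())
    print("4 words from a 7776-word list: %.1f bits" % random_bits(7776, 4))
    print("8 random characters: %.1f bits" % random_bits(len(ALPHABET), 8))
```

The check reports that J0n@than#81 conforms while televisionfrogbootschurch breaks three rules, which is the mismatch between policy compliance and actual strength that the text describes.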

2.2 Protecting personal data for privacy and applying good logical access control.

Perform the following:

1. Open a Microsoft word document and write something in it. Next, create a password for that file and save it to
your desktop. Please provide screenshots of the steps you perform.

2. Place the document in a folder. Share this folder with someone. Then, change the permissions for the shared
user to only be able to see ‘List folder contents’ and ‘Read’ for this shared folder. Please provide screen capture of
the steps you perform.

3. Open the document and unlock it by entering the correct password. Please provide screen capture of the steps
you performed.

2.3 Follow the below steps to check whether your computer can identify any suspicious files such as malware. (note
that this file will not cause any harm to your computer, it is a simple trial task).

Download the file called “eicar.com” from (https://www.eicar.org/download-anti-malware-testfile/). You will see a view
on the website similar to the one below:

1. If your computer is secured, it will display a message noting that the file is blocked or something similar to this.
Please take a screen capture of that and place it here.

2. If a message does not appear, you can consider that the machine needs attention from a security perspective (e.g.
installing or updating your anti-virus software or Operating System). Take a screen capture of this case and put it
here.

TASK 3
Scenario:

WIDGET accounting is a small company located in Belconnen in the ACT. They have 15 employees, including an Office
Manager and the Business Owner. Ten of the employees work onsite at the office, whilst the remaining five work remotely
from home or at a client’s premises. Responsibility for ICT resides with their Office Manager, who is working their way
through a TAFE ICT course in their spare time.

WIDGET’s ICT Infrastructure consists of the following:

• All the staff use laptops with Windows 10 Pro as the SOE. These are all standard licenses, are patched and do NOT
have security software installed. Staff are free to choose their own passwords for their individual machines.
• The business has recently moved to the Office 365 Business subscription service for Microsoft Office applications.
• Wireless internet access for office staff is provided via ADSL using a D-Link-2740B wireless router and the Wi-Fi
password is publicly available. Staff are permitted to connect their mobiles, laptops and other electronic devices
through this wireless network. They also can form an internet-of-things structure by connecting these devices at
the same time for work purposes.
• Wired network and internet access is also provided by a recently installed NETGEAR JGS524 24-Port Gigabit
Switch. There are 20 network jacks available, which can be used to connect any physical computing devices.
A couple of jacks are located in the public area of the office accessible to clients and visitors.
• Staff working remotely use either their personal mobile phones as hot spots or their home internet connections
to connect to the internet, and they do not have any password policy enforced.
• Sensitive data is stored on laptops, servers and the NAS without using cryptographic techniques.
• Employees share passwords and logins with each other if they are having difficulty logging in or they need
access to material on other machines.

• The business does not have a website and instead conducts marketing campaigns through a Facebook page and a
Twitter account. The user name and password for these services are the same as the Business Owner’s username
and password for his work laptop.
• You are asked as an external security expert to evaluate Widget Accounting’s current physical security
infrastructure.

3.1 a) Define how the components of WIDGET’s infrastructure in relation to data, networks, machines, users and
applications are interconnected with each other. Also, identify 3 security gaps for WIDGET’s infrastructure.
Ans: Components are interconnected in WIDGET's infrastructure through laptops, wireless and wired
networks, internet services, and shared data storage. Security gaps include lack of security software, weak
password policies, and sharing of passwords.

b) Please draw a simple diagram to demonstrate how the components are interconnected with each other.

Ans: Create a diagram showcasing laptops, wireless router, wired switch, internet, and connections. Indicate
the security gaps.

3.2 a) Identify 3 security gaps for WIDGET’s infrastructure that makes the devices or components vulnerable.

Ans: Security gaps include lack of security software, weak password policies, and sharing of passwords.

b) Pick one of the above and identify what steps the company could take to protect their physical infrastructure
in the future? Evaluate your steps by explaining how your steps mitigate the risks.

Ans: To protect the physical infrastructure:

- Implement security software on all devices.

- Enforce strong password policies.

- Educate employees about password security and data sharing.

3.3 Explain why it would be important that WIDGET has a professional cyber security officer on staff. (max 150
words)

Ans: Having a professional cybersecurity officer is vital for WIDGET because they can:

- Identify and mitigate security vulnerabilities.

- Develop and implement robust security measures.

- Monitor and respond to cyber threats.

- Provide employee training and awareness.

- Ensure compliance with security standards
